With certificate inspection, it should not cause any problems with certificate pinning since it is not replacing the SSL certificate. Can you do a packet capture and look to see if there are any sessions that have the certificate replaced with the FGT's certificate? I could check for you too if you can send me the pcap.

We have a similar issue with the App Store. You will need to do some packet captures to check. Usually it is the communication to the Akamai cache that gives problems. Whitelisting the Akamai range from SSL inspection solved it for us, but it is far from ideal. I am also seeking the root cause and a more secure solution.
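The check described in the two replies above (look through a capture for sessions whose server certificate was re-signed by the FortiGate's inspection CA, and work out which hosts would need an exemption) can be scripted once the per-session issuer data has been exported from the pcap. The following is an added example, not code from the thread or from Fortinet: it assumes a CSV export with one row per TLS session (client, server IP, SNI, issuer CN), which is constructed inline here, and it assumes a placeholder CN for the inspection CA.

```python
import csv
import io
from collections import defaultdict

# Assumption: the CN of the FortiGate's SSL inspection CA. Replace with the
# issuer CN you actually see on re-signed certificates in your capture.
INSPECTION_CA_CN = "FortiGate CA"

# Constructed sample export (not from a real capture). In practice you would
# produce something like this from the pcap with tshark or a similar tool.
SAMPLE_SESSIONS = """client,server_ip,sni,issuer_cn
10.0.0.21,203.0.113.10,store.example.com,FortiGate CA
10.0.0.21,203.0.113.11,api.example.com,Example Public CA 1
10.0.0.22,198.51.100.5,cache.example-cdn.net,FortiGate CA
10.0.0.22,203.0.113.11,api.example.com,FortiGate CA
10.0.0.23,192.0.2.8,unrelated.example.net,Example Public CA 2
"""


def load_sessions(text):
    """Parse the CSV export into a list of dicts, one per TLS session."""
    return list(csv.DictReader(io.StringIO(text)))


def intercepted_sessions(sessions, inspection_ca_cn=INSPECTION_CA_CN):
    """Sessions whose server certificate was re-signed by the inspection CA.

    A pinned client (App Store, many mobile apps) will reject exactly these,
    so they are the ones to correlate with the failing devices.
    """
    return [s for s in sessions if s["issuer_cn"] == inspection_ca_cn]


def hosts_by_handling(sessions, inspection_ca_cn=INSPECTION_CA_CN):
    """Map each SNI to the set of treatments seen ('intercepted'/'passthrough').

    A host that shows both is being matched by different policies for
    different clients, which is worth a look before adding any exemption.
    """
    seen = defaultdict(set)
    for s in sessions:
        handling = "intercepted" if s["issuer_cn"] == inspection_ca_cn else "passthrough"
        seen[s["sni"]].add(handling)
    return dict(seen)


def exemption_candidates(sessions, inspection_ca_cn=INSPECTION_CA_CN):
    """Sorted list of SNIs that were intercepted at least once.

    These are the hosts to review for a per-host exemption, which is narrower
    than exempting a whole CDN address range.
    """
    return sorted({s["sni"] for s in intercepted_sessions(sessions, inspection_ca_cn)})


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_SESSIONS)
    for s in intercepted_sessions(sessions):
        print(f"intercepted: {s['client']} -> {s['sni']} ({s['server_ip']})")
    for sni, handling in hosts_by_handling(sessions).items():
        if len(handling) > 1:
            print(f"inconsistent handling for {sni}: {sorted(handling)}")
    print("exemption candidates:", exemption_candidates(sessions))
```

Flagging by issuer CN is the quick triage; if the inspection CA's CN is generic, compare the issuer's key identifier or SPKI hash against the CA the FortiGate presents instead, so a public CA with a similar name is not mistaken for it.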

In my case the problem turned out not to be certificate pinning, but instead that the FortiGate wasn't properly matching iPhone and iPad device types. Instead of matching the policy for mobile devices it was matching a more generic policy for that subnet to the WAN. The more generic policy didn't allow some of the services needed for the iOS devices.

My workaround was to have the policy rule instead match to the specific devices themselves. This wasn't too bad to do for our small group, but would be a nightmare for a large company.

I tried changing back to matching the device types instead (iPhone and iPad) with 5.4.6 but still see it failing to match sometimes. It's frustrating because I can't get it to regularly happen, otherwise I would report it as a bug.